Cisco ISE 1.4 - Automatic Failover

abhijith891
Level 1

Hi All,

We have 4 ISEs in our environment, 3 of them in one DC (US) and 1 in another (Europe). We have a PAN in US which is configured as Primary in Administration, Secondary in Monitoring. The Europe ISE has 3 personas, i.e. Primary in Monitoring, Secondary in Administration, and it also acts as a PSN. The remaining 2 nodes in US are acting as PSNs.

We are considering implementing Automatic Failover, so I would like to know a few things:

i) Does a PAN and a health-check node necessarily need to be in the same DC? What are the possible issues that might come up if they are in different DCs?

ii) For the above environment, which is the best way to implement automatic failover for all 3 personas - Administration, PSN and Monitoring?

Any suggestions/recommendations would be greatly appreciated.

2 Accepted Solutions


paul
Level 10

I have always done the PAN health check from devices in the same DC. I can't speak to ramifications if you don't do that, but I have a few other points:

  1. For best performance your primary admin and M&T should be in the same location. I would have the US node be the primary PAN and M&T.
  2. For M&T redundancy you don't need to do anything special. All nodes log to both M&Ts automatically and the deployment will switch M&Ts as needed based on availability.
  3. Your PSN redundancy is determined by your network devices. If you want, in the US they can point to US PSNs first, then Europe. In Europe the network devices can point to Europe first, then US.

Good points. Also recommend moving to ISE 2.2 (current recommended release) or even 2.4 now that several patches have been out, as there are a lot of changes.

ISE 1.4 is end of support.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/eos-eol-notice-c51-738841.html
